November 26, 2007
http://www.atmmarketplace.com/article.php?id=9446&prc=25&page=58
SURVEY: 3,000 retailers have wireless data-security
vulnerabilities
AirDefense, which launched the wireless LAN security market, has released results from
its 2007 Retail Shopping Wireless Security Survey of wireless data-and physical-security
practices at more than 3,000 retail stores throughout the United States and parts of
Europe. Cities covered include Atlanta, Boston, Chicago, Los Angeles, New York City,
San Francisco, London and Paris.
Research was conducted in busy shopping areas, including Rodeo Drive in Beverly Hills,
Madison Ave. and 5th Ave. in New York City, Michigan Ave. in Chicago, and Union
Square and Market Street in San Francisco.
AirDefense discovered that more than 2,500 wireless devices, such as laptops, hand-
helds, and barcode scanners, are being used by retailers, yet 85 percent of those devices
could have been compromised or are at risk of having data stolen because of data
leakage, misconfigured access points, poor naming choices for access points, outdated
access-point firmware and a “cookie-cutter” technology approach. A so-called cookie-
cutter approach occurs when the same technology is used in all retail locations, so
vulnerabilities repeat themselves across the entire store’s chain.
According to a news release, some of the networks used were “fresh from the box,” using
default configurations and SSID (service set identification), such as retail wireless, POS
WIFI, or store#1234
Data leakage then occurs when a company adds wireless functionality to an existing
wired network. Point-of-sale information on products, and possibly consumer credit-card
information, can leak out to the wireless airwaves and be stolen.
According to AirDefense, consequences of wireless-security vulnerabilities are difficult
to quantify.
As part of its research, AirDefense also monitored nearly 5,000 access points, the
hardware that connects wireless devices to wired computer networks. It found that 25
percent of those access points were unencrypted, while 74 percent were encrypted. Also,
25 percent of retailers surveyed used wired equivalent privacy (WEP), one of the weakest
protocols for wireless data encryption, AirDefense says, while 49 percent use WI-FI
protected access (WPA) or WPA 2, the two strongest encryption protocols for theft
prevention.
The most common data-security lapses involved misconfigured access points that open
backdoors to data. On several occasions, larger retailers had configured access points to
work with WPA but had not switched off WEP. In addition, many retailers use their store
name, the name assigned by the equipment vendor to the wireless network during
installation, in the SSID, which gives away a retailer’s identity. SSIDs can easily be
reconfigured, but often times are not.
AirDefense says most retailers seem to maintain stronger physical security than wireless
security, since 95 percent of retailers had some form of physical security system, such as
an RFID security alarm, in place. Additionally, nearly 70 percent had security cameras
installed and roughly 10 percent employed guards at exit doors.
“Retailers around the country are leaving the ‘proverbial’ barn-door open for potential
problems,” said Richard Rushing, the survey organizer and chief security officer of
AirDefense. “Protecting consumer and retailer information is the most important job for
retailers. A layered wireless-security approach is the only way to prevent proprietary
information from disappearing.”